We have discovered a vulnerability in Android that can render a phone apparently dead – silent, unable to make calls, with a lifeless screen. This vulnerability is present from Android 4.3 (Jelly Bean) up to the current version, Android 5.1.1 (Lollipop). Combined, these versions account for more than half of Android devices in use today. No patch has been issued in the Android Open Source Project (AOSP) code by the Android Engineering Team to fix this vulnerability since we reported it in late May.

This vulnerability can be exploited in two ways: either via a malicious app installed on the device, or through a specially-crafted web site. The first technique can cause long-term effects on the device: an app with an embedded MKV file that registers itself to auto-start whenever the device boots would cause the OS to crash every time it is turned on.

In some ways, this vulnerability is similar to the recently discovered Stagefright vulnerability. Both vulnerabilities are triggered when Android handles media files, although the way these files reach the user differs.

The kicker: Google calls it “a low priority vulnerability.”

There’s going to come a day of reckoning here. Some day, some way, several million people will be hit with an exploit — probably through a fake news site or infected video about a major news story that spreads like wildfire through Twitter — that will create a class-action lawsuit that Google will have to deal with for years.

And the bad press from that will cause a huge decline in Android device sales.

The level of access attackers would gain would allow access to files stored on SD cards as well as on the phone memory. Attackers could also turn your phone into a bug, remotely recording audio and video without your knowledge. Bluetooth access is also hackable via Stagefright. All versions of Android from 2.2 and up are considered vulnerable.

Its Android One partnerships mean Google no longer has to put its eggs in one basket, and also make sure that local OEMs stick with Android as Google envisages it, not as handset makers and operators would have it. Google seems to have been increasingly trying to reduce others’ influence on the operating system — banning the customisation of Auto, TV, and Wear; wrestling Samsung over its Magazine UI; and gradually withdrawing its support for the AOSP version of Android.

Android One is just the next step in that progression. Google is using the lure of a turnkey mobile platform to get everyone else in the value chain to give up hope of tweaking Android for their own ends. While most handsets in developed markets use the GMS version of Android, which puts Google’s services front and centre, in the developing world AOSP — the original open source Android that can be forked and adapted at will — is far more prevalent. Google has been slowly allowing AOSP to wither and has now stepped in with Android One as an alternative — an alternative that puts Android back under its control and its services back in users’ eyelines.